U.S. DEPARTMENT OF COMMERCE
Office of Inspector General

Bureau of Export Administration

BXA Needs to Strengthen Its ECASS Modernization Efforts To Ensure Long-Term Success of the Project

Final Inspection Report No. IPE-14270/February 2002

Office of Inspections and Program Evaluations

UNITED STATES DEPARTMENT OF COMMERCE
The Inspector General
Washington, D.C. 20230

February 12, 2002

MEMORANDUM FOR: Kenneth I. Juster
                Under Secretary for Export Administration

FROM:

As a follow-up to our December 21, 2001, draft report, attached is a final copy of the third report required by the National Defense Authorization Act for Fiscal Year 2000. As you know, this legislation mandates that by March 30 of each year through 2007, we issue a report to the Congress, in conjunction with the Offices of Inspectors General (OIG) at the Departments of Defense, Energy, State, and the Treasury, on the policies and procedures of the U.S. government with respect to the export of technologies and technical information to countries and entities of concern. This third report focuses on BXA's efforts to modernize its dual-use export licensing system, including whether BXA has considered the feasibility of developing a single federal dual-use export licensing system or other alternatives. The report includes comments from your January 22, 2002, written response to our draft report. A copy of your response is included as an appendix to this report. This report will also be issued as part of an interagency OIG report on federal automated export licensing systems.

We are pleased that you are generally in agreement with many of the recommendations we made to help improve the dual-use export licensing automated systems. However, we want to emphasize that this project will need dedicated resources over the next several years in order for it to be successfully completed by fiscal year 2006. In addition, as the agency charged with administering the dual-use export control process, we believe that it is especially important for BXA to better coordinate its ECASS redesign efforts with the interagency export licensing community. After carefully considering your response to our draft report, we have made some adjustments in our final report. We request that you provide us with an action plan addressing the recommendations in our report within 60 calendar days.

We thank you and your staff for the assistance and courtesies extended to us during our evaluation. If you have any questions about our report or the requested action plan, please contact me at (202) 482-4661, or Jill Gross, Assistant Inspector General for Inspections and Program Evaluations, at (202) 482-2754.

Attachment
TABLE OF CONTENTS

EXECUTIVE SUMMARY .... i

INTRODUCTION .... 1

OBJECTIVES, SCOPE, AND METHODOLOGY .... 2

BACKGROUND .... 3

FINDINGS AND CONCLUSIONS .... 9

I.   BXA Has Made Progress on ECASS 2000+ Project .... 9
     A. Appointing an ECASS 2000+ project manager brought direction to the redesign effort .... 9
     B. Exporters will soon be able to submit all license applications and supporting documentation on-line .... 10
     C. BXA has selected software for its new investigative tracking system .... 11
     D. BXA has begun linking strategic planning, budgeting, and IT planning .... 12

II.  BXA Needs Better Planning to Ensure Long-Term Success of the Project .... 13
     A. BXA's initial business process reengineering efforts were incomplete .... 13
     B. BXA needs to update its cost estimates .... 16
     C. Some ECASS 2000+ requirements need to be validated and specified .... 18
        1. User validation is needed for licensing subsystem .... 18
        2. IT security requirements need to be specified and documented .... 21

III. BXA Needs to Strengthen its Modernization Effort by Implementing Established IT Management Best Practices .... 25

IV.  Interagency Cooperation on Planning, Design, and Development Has Been Mixed .... 29

RECOMMENDATIONS .... 34

APPENDIXES
     A. Status of 1999 Internal Control Recommendations .... 36
     B. List of Acronyms .... 42
     C. Agency Response .... 43
EXECUTIVE SUMMARY

The House and Senate Armed Services Committees, through the National Defense Authorization Act for Fiscal Year 2000, directed the Inspectors General of the Departments of Commerce, Defense, Energy, and State, in consultation with the Director of Central Intelligence and the Director of the Federal Bureau of Investigation, to assess the adequacy of export controls and counterintelligence measures to prevent the acquisition of militarily sensitive U.S. technology and technical information by countries and entities of concern.[1] The legislation mandates that the Inspectors General report to the Congress by March 30 of each year until 2007.

[1] Public Law 106-65, October 5, 1999.

For 2002, the OIGs agreed to conduct an interagency review of the various automated export licensing systems maintained by the federal licensing agencies to determine how the systems interact and whether it is feasible to develop a single federal automated export licensing network or other alternatives. Each OIG also looked at its own agency's efforts to modernize its export licensing system. As such, our overall objective was to assess BXA's efforts to modernize its Export Control Automated Support System (ECASS). In particular, we sought to determine whether:

- BXA adequately considered business process changes and appropriate resources for the life cycle of the project.

- BXA had an infrastructure in place to monitor project costs, schedule, and deliverables.

- BXA's system design schedule was realistic, achievable, and on time.

- BXA implemented previous OIG recommendations pertaining to the modernization of the export licensing system and other internal control issues (see Appendix A).

Based on our evaluation, we are pleased to note that BXA has made progress in its redesign effort. However, we want to emphasize that for the project to be successful, it will need dedicated resources and continuous oversight by BXA management and the Department. Our specific observations follow:

BXA Has Made Progress on ECASS 2000+ Project

We identified several areas where BXA has made progress on its ECASS 2000+ project. First, BXA's appointment of a project manager in March 2000 has brought direction and stability to a redesign effort that had lacked adequate leadership from early 1998 to March 2000. Second, BXA and the U.S. Department of Defense's USXPORTS[2] office are developing a "front-end" licensing subsystem, known as SNAP/ESD,[3] that will allow exporters to submit on-line, for the first time, all types of license applications as well as the corresponding supporting documentation. Third, BXA selected software in August 2001 for its new Export Enforcement Investigative Tracking System, scheduled to be implemented in June 2002.
Fourth, during its fiscal year 2003 budget planning cycle, BXA established a Capital Planning Team to coordinate its strategic planning, annual budgeting, and information technology functions (see page 9).

[2] USXPORTS is an interagency program office established by the Department of Defense to modernize the interagency export licensing systems.

[3] SNAP/ESD is the Simplified Network Application Processing (SNAP) system and the Electronic Support Documentation (ESD) system.

BXA Needs Better Planning to Ensure Long-Term Success of the Project

As BXA completes and implements its new ECASS 2000+ system over the next several years, thorough planning will be key to the project's long-term success. However, we found BXA could improve its planning of the ECASS 2000+ project in several areas. First, although BXA's 1998 business process reengineering study was clearly valuable in terms of defining and redesigning BXA's key business processes, we found that it was (1) too narrow in scope and (2) not adequately addressed by BXA management. Second, we found that BXA is redesigning its current ECASS system based on a cost-benefit analysis that is outdated both in terms of costs and proposed requirement changes. In addition, BXA recently increased its baseline for ECASS 2000+ from $6 million in 1998 to $7.5 million in 2001 without preparing adequate cost estimates. As a result, BXA does not know (1) what funding levels are needed or (2) whether the $7.5 million will be sufficient to complete ECASS 2000+ by fiscal year 2006. Third, we determined that not all of the ECASS 2000+ requirements have been adequately specified. Specifically, we found (1) minimal user involvement in preparing requirements for the licensing subsystem and (2) the information technology security requirements had not been specified (see page 13).

BXA Needs to Strengthen its Modernization Effort by Implementing Established IT Management Best Practices

While the ECASS 2000+ project officially began in March 2000, BXA still has not completed key system management processes and documentation needed to better manage the redesign effort. As of September 30, 2001, the ECASS 2000+ project lacked adequate management tools, including (1) a configuration management process, (2) a risk management process, (3) a software acquisition training program for its project team members, (4) a project management plan, and (5) target architecture. These are requisite management tools for systems development, as identified by the Office of Management and Budget's Chief Information Officers Council, the General Accounting Office, and the Department of Commerce's Office of Chief Information Officer. The ECASS 2000+ project manager acknowledges that these management tools need to be instituted but informed us that the lack of resources dedicated to this project has made it difficult to manage and oversee the redesign effort and perform the needed functions in a timely manner (see page 25).

Interagency Cooperation on Planning, Design, and Development Has Been Mixed

While our 1999 export licensing report[4] recognized the need for an ECASS replacement, it also raised concerns about the multiple and distinct automation efforts underway at that time by the various export licensing agencies.
At that time, we recommended that BXA coordinate its system development efforts with the other export licensing agencies, to maximize efficiencies and savings as well as acquire a more integrated licensing system. Since then, BXA has participated in and coordinated with some interagency modernization efforts. However, it has not involved the other licensing agencies in its own redesign effort beyond SNAP/ESD. In addition, we are concerned that BXA may not adequately consider other system alternatives for its license processing needs beyond enhancing the interfaces with the existing licensing systems (see page 29).

On page 34, we offer recommendations to the Under Secretary for Export Administration to address the concerns raised in this report.

In BXA's January 22, 2002, written response to our draft report, the Under Secretary for Export Administration generally agreed with most of our recommendations. BXA's response outlined additional actions taken since the conclusion of our review that demonstrate its commitment to ensure the long-term success of its redesign effort. However, we want to emphasize that this project will need dedicated resources over the next several years in order for the project to be successfully completed by fiscal year 2006. In addition, we want to reiterate the need for BXA to better coordinate its ECASS redesign efforts with the interagency export licensing community.

To address BXA's comments, we have made changes to the report, where necessary.
BXA's response has been included as Appendix C to this report.

[4] Improvements Are Needed to Meet the Export Licensing Requirements of the 21st Century, U.S. Department of Commerce Office of Inspector General, IPE-11488, June 1999.

INTRODUCTION

The Inspectors General of the Departments of Commerce, Defense, Energy, State and the Treasury, in consultation with the Director of Central Intelligence and the Director of the Federal Bureau of Investigation, are required by the National Defense Authorization Act for Fiscal Year 2000 to conduct an eight-year assessment of the adequacy of current export controls and counterintelligence measures to prevent the acquisition of sensitive U.S. technology and technical information by countries and entities of concern.

The above legislation mandates that the Inspectors General report to the Congress no later than March 30 of each year, until 2007, on the status of efforts to maintain and improve export controls. To comply with the act's 2000 requirement, each OIG reviewed certain aspects of its agency's export controls and counterintelligence measures and reported on its findings. The result was two interagency reports highlighting crosscutting issues.[5] Our report focused on three activities that the Commerce Department, principally through the Bureau of Export Administration, carries out or participates in to help prevent the illicit transfer of sensitive technology.
Those activities include (1) deemed export controls,[6] (2) the Visa Application Review Program, and (3) the Committee on Foreign Investment in the United States.[7]

To meet the act's 2001 requirement, the OIGs conducted an interagency review of the Commerce Control List and the U.S. Munitions List.[8] This review looked at BXA's policies and procedures for the design, maintenance, and application of the Commerce Control List.[9] For 2002, the OIGs agreed to conduct an interagency review of the various automated export licensing systems maintained by the federal licensing agencies to determine how the systems interact and whether it is feasible to develop a single federal automated export licensing network or other alternatives. We conducted a program evaluation that focused on BXA's efforts to modernize its aging Export Control Automated Support System (ECASS).

[5] Interagency Review of the Export Licensing Process for Foreign National Visitors, conducted by the Offices of Inspector General at the U.S. Departments of Commerce, Defense, Energy, and State, D-2000-109, March 2000, and Interagency Inspector General Assessment of Measures to Protect Against the Illicit Transfer of Sensitive Technology, conducted by the Offices of Inspector General at the U.S. Departments of Commerce, Defense, Energy, State, and the Treasury, and the Central Intelligence Agency, OO-OIR-06, March 2000.

[6] According to the Export Administration Regulations, any release to a foreign national of technology or software subject to the regulations is deemed to be an export to the home country of the foreign national.

[7] Improvements Are Needed to Programs Designed to Protect Against the Transfer of Sensitive Technologies to Countries of Concern, U.S. Department of Commerce Office of Inspector General, IPE-12454-1, March 2000.

[8] Interagency Review of the Commerce Control List and the U.S. Munitions List, conducted by the Offices of Inspector General at the U.S. Departments of Commerce, Defense, Energy, and State, Report No. D-2001-092, March 2001.

[9] Management of the Commerce Control List and Related Processes Should Be Improved, U.S. Department of Commerce Office of Inspector General, IPE-13744, March 2001.

Program evaluations are special reviews that the OIG undertakes to give agency managers timely information about operations, including current and foreseeable problems. By highlighting problems, the OIG hopes to help managers move quickly to address them and to avoid similar problems in the future. The evaluations are also conducted to encourage effective, efficient, and economical operations and to detect and prevent fraud, waste, and abuse. Program evaluations may also highlight effective programs or operations, particularly if they may be useful or adaptable for agency managers or program operations elsewhere.

We conducted our evaluation from April 18 through September 30, 2001. This evaluation was conducted in accordance with the Quality Standards for Inspections issued by the President's Council on Integrity and Efficiency, and was performed under the authority of the Inspector General Act of 1978, as amended, and Department Organization Order 10-13, dated May 22, 1980, as amended.
At the conclusion of the evaluation, we discussed our findings and conclusions with the Under Secretary for Export Administration and other key BXA and Commerce officials.

OBJECTIVES, SCOPE, AND METHODOLOGY

The overall objective of our program evaluation was to assess BXA's efforts to modernize its export licensing system for dual-use commodities (goods and technologies determined to have both civilian and military use). The scope of our evaluation included resolving whether BXA had considered the feasibility of developing a single federal dual-use export licensing system or other alternatives. In particular, we sought to determine whether BXA:

- adequately planned for the redesign effort, including whether it properly considered business process changes and appropriate resources for the life of the project;

- had an infrastructure in place to monitor project costs, schedule, and deliverables;

- developed a system design schedule that was realistic, achievable, and being met; and

- implemented previous OIG recommendations pertaining to the replacement of the export licensing system and other automation issues.

To coordinate the review of interagency issues and determine the work to be performed by each OIG team, the five OIGs formed an interagency working group and held monthly meetings during the review.
Similar to the approach adopted for last year's reporting requirement, the five OIGs decided that each would issue a report on the findings of its agency review. In addition, all five would contribute to and approve a consolidated report on any crosscutting issues, including an assessment of the U.S. Export Systems (USXPORTS) Interagency Program Management Office, a Defense program established in May 2000 to modernize the interagency export licensing systems.

Our review methodology included interviews with various BXA officials, including senior managers, licensing and enforcement officials, and BXA contractors. We also spoke with officials from the Departments of Defense, Energy, Justice, State, and the Treasury, as well as the Office of Management and Budget (OMB) and the General Accounting Office (GAO). In addition, we met with staff from the Department's Office of Chief Information Officer (CIO), Office of Budget, Office of the Secretary, and Information Technology (IT) Enterprise Architecture Affinity Group.[10] We also reviewed ECASS 2000+ and USXPORTS documents available prior to September 30, 2001. Furthermore, we reviewed departmental, GAO, OMB, and congressional guidance on implementing and managing system development efforts.

[10] The IT Enterprise Architecture Affinity Group was established to oversee all systems architecture plans by Commerce agencies.

Finally, we followed up on ECASS internal control recommendations made in our 1999 report[11] on the export licensing process (see Appendix A).

[11] Improvements Are Needed to Meet the Export Licensing Requirements of the 21st Century, U.S. Department of Commerce Office of Inspector General, IPE-11488, June 1999.

BACKGROUND

The United States controls the export of dual-use commodities for national security, foreign policy, and nonproliferation reasons under the authority of several different laws. The primary legislative authority for controlling the export of dual-use commodities is the Export Administration Act of 1979, as amended.[12] Under the act, BXA administers the Export Administration Regulations by developing export control policies, issuing export licenses, and enforcing the laws and regulations for dual-use exports.

[12] Although the act last expired on August 20, 2001, the President has extended existing export regulations under Executive Order 13222, dated August 17, 2001, invoking emergency authority contained in the International Emergency Economic Powers Act.

BXA's Automated Export Licensing System

BXA developed ECASS in 1984 to expedite the license approval process and better serve the U.S. exporter. ECASS is a large database designed to process, store, and transmit dual-use export licensing information. It is housed on a mainframe at the Commerce computer center in Springfield, Virginia. ECASS is an unclassified system supporting more than 600 users, including BXA headquarters and field offices; the CIA; and the Departments of Defense, Energy, Justice, State, and the Treasury.
(See Figure 1.) During its lifetime, ECASS has been upgraded to permit manual, electronic, and optical character recognition data entry of license applications and commodity classification requests.

Figure 1: ECASS Database Configuration

[Diagram not reproduced. Its labels are: Data Sources (paper applications; automated applications/vendors); BXA Network; Dial-up Lines; Springfield Computer Center (mainframe, Model 204 software, ECASS); Subsystems (LOA, Enforce, Follow-up, STELA, Reports); Files (LARS, Locator, Tables, Export, Consignee); Data Users (BXA, CIA, Customs, Defense, Energy, Justice, State; and, below the dial-up lines, Defense, CIA, Energy); and outputs (Export Licenses, Congressional Reports, BXA Internal Reports).]

Legend

Subsystems
  LOA        Licensing Officer Access
  Enforce    Export Enforcement interface to LOA
  Follow-up  Exporter follow-up requirements
  STELA      System for Tracking Export License Applications
  Reports    BXA reports for user requests

Files
  LARS       License application information
  Locator    Tracks license history
  Tables     List of system users
  Export     List of exporter names and addresses
  Consignee  List of consignee names and addresses

Source: Office of the Chief Information Officer, Bureau of Export Administration.
Automated Interfaces between ECASS and the Interagency Export Licensing Community

On December 5, 1995, the President issued Executive Order 12981, in response to the need for
more transparency in the dual-use export license process. Specifically, it authorizes the
Departments of Defense, Energy, and State to review any license application submitted to the
Department of Commerce under the Export Administration Act. In addition, the Executive
Order authorizes the Department of Justice to review any export license applications pertaining
to encryption items.

Both State and Justice have direct access to the ECASS system and use it to process license
applications referred to them. However, because Defense and Energy have classified systems,
ECASS's export license information is sent to these agencies via dial-up lines to stand-alone
personal computers. The information is then put on a disk and uploaded to their respective
classified systems, thereby ensuring the integrity of their systems.

BXA also sends certain license applications to the CIA's Weapons Intelligence,
Nonproliferation, Arms Control group for an end user review. Like Defense and Energy, this
system is also classified and export license data is sent via a dial-up line to a CIA stand-alone
computer.

Finally, BXA electronically transmits validated licensing information (for cases approved,
denied, or returned without action) over a dedicated 56K data line to the Department of the
Treasury's U.S. Customs Service on a daily basis. The data is then entered into the Customs
Service's Treasury Enforcement Communications Systems (TECS) database.[13] Figure 2
identifies the agencies involved in the export licensing process and the interfaces used to transmit
data back and forth.

[13] TECS was created to provide multi-agency access to a common database of enforcement
data supplied by various law enforcement agencies.

Figure 2: Current Automated Interfaces Used in the Dual-Use Licensing Process

[Figure not reproduced. Nodes shown in the graphic:]

  Agency     System        Classification
  Commerce   ECASS         Unclassified
  State      ECASS         Unclassified
  Justice    ECASS         Unclassified
  Treasury   TECS          Unclassified
  Defense    FORDTIS/TPS   Classified
  Energy     PINS          Classified
  CIA        EXCON         Classified
  Industry   Paper and electronic applications; paper and electronic licenses

LEGEND
  Line types   56K Data Line; Direct Access; Dial-up to Stand-Alone PC
  ECASS        Export Control Automated Support System
  EXCON        Export Control System
  PINS         Proliferation Information Network System
  FORDTIS/TPS  Foreign Disclosure and Technical Information System/Technology Protection System
  TECS         Treasury Enforcement Communications System

Source: Commerce Office of Inspector General.

ECASS Limitations

During its lifetime, ECASS has been upgraded to permit manual, electronic, and optical character
recognition data entry of export and re-export license applications, commodity classifications,
special comprehensive and deemed export licenses, and agriculture license exception notices.
However, our June 1999 export licensing report identified many reasons why ECASS is not an
effective system for the current era of license processing. Those limitations still exist. For
example:

- ECASS has limited query capability. As such, it is difficult for licensing officers to
  obtain historical information on a commodity, consignee, or end user necessary to make
  the most informed licensing decision.

- ECASS has limited text capability. Specifically, it does not allow licensing officers to
  incorporate detailed text into the license record.

- ECASS has no modern interfaces. Licensing officers must exit the database every time
  they want to use any applications such as word processing.

- ECASS lacks on-line access to exporter technical specifications. Licensing officers at
  both BXA and referral agencies cannot review exporter technical specifications on-line
  through ECASS.
  Therefore, BXA must make copies and distribute the technical
  specifications as hard copy to the applicable referral agencies, a time-consuming task.

- ECASS has limited access to outside databases. ECASS does not allow its users to
  obtain information from outside databases, such as Dun and Bradstreet, and directly input
  the information into a license application file. Licensing officers and supervisors must
  obtain information outside of ECASS and then "cut and paste" information into the
  system.

Prior OIG Recommendations to Improve Interfaces Among the Various Licensing Systems

We issued two prior OIG reports recommending improvements to ECASS and its interfaces with
the referral agencies' licensing systems. First, in our 1993 special interagency OIG report on the
export licensing process,[14] we determined that officials at the Departments of Defense, Energy,
and State needed to develop procedures to reconcile each agency's database information
contained in ECASS. We also recommended that BXA establish an interagency working group,
including Defense, Energy, and State, to determine the need for, the feasibility of, and the
benefits to be derived from the expanded use of ECASS for dual-use export licensing
information. At that time, all four agencies agreed that all database records should be consistent
and that a working group should be established.

However, our 1999 report on the export licensing process found that while the export licensing
process was working reasonably well, the agency automation systems lagged behind.
Furthermore, we found that the export licensing agencies were not coordinating their systems
development efforts with each other. At that time, we recommended that BXA coordinate its
system development efforts with the other licensing agencies and again encourage those agencies
to establish an interagency steering committee to review the automation portion of the export
licensing process, from coordinating common system architecture requirements to determining
how interagency resources could be used to fund and implement a new system.

[14] The Federal Government's Export Licensing Processes for Munitions and Dual-Use
Commodities, conducted by the Offices of Inspector General at the U.S. Departments of
Commerce, Defense, Energy, and State, September 1993.

Since that time, BXA has made some progress in its redesign of ECASS (see Chapter I, page 9,
for details on BXA's efforts). Furthermore, in an effort to correct the deficiencies associated
with the current export licensing systems, Defense established the USXPORTS Interagency
Program Management Office in May 2000. USXPORTS's mission is to:

        "... modernize the export control process through easy and timely
        access to pertinent export data electronically among participating
        agencies. This includes enhancing network systems and the
        protection of data across agencies."[15]

Defense allocated $30 million over a three-year period for USXPORTS to accomplish its
mission. An assessment of the USXPORTS office will be incorporated into a consolidated
interagency OIG report regarding the various automated export licensing systems. This report
will be issued in March 2002.

[15] USXPORTS System Modernization, Statement of Work, Office of the Undersecretary of
Defense for Policy, OUSD (P), October 16, 2000, page 1.


FINDINGS AND CONCLUSIONS

I. BXA Has Made Progress on ECASS 2000+ Project

BXA has long needed to replace the current ECASS system to properly administer export control
laws and regulations. Many of the problems associated with BXA's prior attempts to redesign
ECASS were due to a combination of technical, planning, managerial, and budgetary hurdles.
However, since March 2000, BXA has been better able to focus its redesign efforts because it
hired a project manager and coordinated its IT planning and budgetary cycles. As a result, two
components of ECASS 2000+ should be ready for implementation in early to mid 2002.

A. Appointing an ECASS 2000+ project manager brought direction to the redesign effort

BXA's appointment of a project manager brought direction and stability to the redesign effort.
BXA first initiated efforts to redesign its current ECASS system in 1996 when it hired a
contractor to prepare four major planning documents[16] for the project. However, by 1998, BXA
still did not have a dedicated project manager or team for the effort. As a result, in our June 1999
report on the export licensing process, we recommended that BXA establish a project
management team, including a full-time project manager, to oversee development and
implementation of BXA's new system as soon as possible.
Thereafter, in March 2000 BXA
hired an ECASS 2000+ project manager to oversee an effort that had been mostly dormant from
early 1998 to early 2000.

Under the leadership of its ECASS 2000+ project manager, BXA has taken steps to ensure the
short-term and long-term success of the ECASS 2000+ project. These steps include:

- following federal, industry and the Department's IT Enterprise Architecture Affinity
  Group's guidance and processes for system design and development,

- preparing initial system documentation, such as a Vision Document and Software
  Requirements Specification,

- hiring a contractor to oversee the integration of ECASS 2000+ components,

- overseeing the development of two key subsystems of ECASS 2000+--the Simplified
  Network Application Processing (SNAP)/Electronic Support Documentation system
  (ESD) and the Export Enforcement Investigative Tracking system (see parts B and C
  respectively of this section for more detail on these systems), and

- preparing project documentation, including a software development plan and data
  migration plan.

[16] These documents included a business case analysis, business process reengineering study,
information architecture, and a cost-benefit analysis.

Although we are pleased with the recent progress of the redesign effort, we want to emphasize
the need for BXA to aggressively pursue its ECASS 2000+ implementation over the next four
years.
For ECASS 2000+ to be successful, it will need continued oversight by the ECASS 2000+
project manager as well as BXA's and the department's management team (see Section III,
page 25).

B. Exporters will soon be able to submit all license applications and supporting
   documentation on-line

Although exporters can currently submit certain export license applications and other reporting
forms to BXA via the Internet, corresponding support documentation for a license application
has to be submitted separately as hard copy. These documents are then duplicated by BXA and
delivered via courier to the referral agencies, a procedure that adds time and expense to the
license review process. To address these and other problems, BXA and the USXPORTS office[17]
are developing a "front-end" licensing subsystem, known as SNAP/ESD, that will allow
exporters to submit all types of license applications as well as the corresponding support
documentation on-line.[18] USXPORTS estimates that it will spend about $1.0 million to
complete the SNAP/ESD system.

According to documents provided by BXA, SNAP, which was first introduced to exporters in
February 1999, provides more than 3,500 registered users, representing over 1,700 companies,
the ability to submit certain export and re-export license applications, commodity classification
requests, and high performance computer notices to BXA on-line. In fiscal year 2000, BXA
received 61 percent of its license applications via the Internet.
As a part of the redesign effort,
the capabilities of SNAP will be expanded to include other on-line transactions, such as the
submission of deemed export license applications and special comprehensive license
applications.

[17] USXPORTS is responsible for designing and deploying SNAP/ESD; however, BXA's ECASS
2000+ project manager is the SNAP/ESD project manager for the USXPORTS office. Once
completed, USXPORTS will turn the system over to BXA to house and maintain SNAP/ESD at its
computer site.

[18] Support documentation includes diagrams, schematics, or other information to describe the
product to be exported as well as additional information concerning the end user or end use of
the product.

SNAP will be complemented by the development of ESD, an interactive data repository for
supporting documentation. ESD will give exporters the ability to electronically submit their
supporting documentation alongside their application. Currently, if an exporter submits its
license application on-line and mails its supporting documentation to BXA, it may take several
days for the two documents to match up with each other. Simultaneous submission of the license
and supporting documentation should assist licensing officers in expediting the overall
processing of license applications.
Furthermore, by maintaining all of these documents in an
interactive data repository, exporters will no longer need to submit supporting documents more
than once for multiple license applications involving the same product.

ESD will also benefit the federal licensing agencies in their review of export license applications.
Specifically, the new subsystem should facilitate license review and reduce processing times by
eliminating paper processing both internally at BXA and at the licensing referral agencies. ESD
will also reduce the time and money spent by BXA support staff on scanning support documents
(after a case is closed), and copying and sending documents to other agencies via courier. In
addition, referral agencies will have real-time access rights to the document library.[19]

Once exporters can electronically submit all types of applications and supporting documentation,
BXA anticipates on-line submissions will increase. To date, two prototypes of the system have
been prepared. The first was completed in August 2001 and included only the ESD system; the
second was completed in September 2001 and included a redesigned SNAP and the ESD system.
BXA and USXPORTS held several design peer reviews of the prototypes between June and
December 2001.[20]

SNAP/ESD was also demonstrated in October 2001 to exporters at BXA's UPDATE 2001
conference in Washington, D.C. At that time, only the commodity classification feature was
available for demonstration. BXA's ECASS 2000+ project manager expects all of the system
features to be available when SNAP/ESD is scheduled for implementation in March 2002.

C. BXA has selected software for its new investigative tracking system

A second ECASS 2000+ subsystem currently being developed is the Export Enforcement
Investigative Tracking system.
Since March 2001, BXA's system integration contractor has been
analyzing user needs within BXA's enforcement community and evaluating commercial
off-the-shelf (COTS) case management software. The ECASS 2000+ project manager informed us that
the investigative tracking system was selected as the first redesigned subsystem based on
available funding, the minimal functionality in the current investigative tracking system, and the
possibility that a COTS solution would be available.

[19] According to BXA, specific access by the referral agencies will be limited to the
documentation relating to those cases that have been referred to them by BXA.

[20] The peer reviews involved assessments of work products by future system users during the
development of those work products to identify defects requiring correction.

The search for a COTS solution ended in August 2001 when a case management software vendor
was selected. According to BXA's Vision Document,[21] some of the features of the new
subsystem will better enable export enforcement personnel to:

- create and open investigative cases based on leads;

- manage, upgrade, refer, close, or request collateral assistance on investigative cases;

- manage and track administrative and criminal case actions;

- conduct advanced investigative case and suspect queries; and

- capture and view supporting case documentation.

BXA estimates the costs for the selected package, including software, hardware, and training, to
be around $600,000. The new investigative tracking system is scheduled to be implemented in
June 2002.

D. BXA has begun linking strategic planning, budgeting, and IT planning

OMB and the Department require agencies to link their budgets with IT planning. However,
although BXA has prepared annual strategic plans in the past, it lacked a functioning process for
formulating its strategic procurement and IT goals. Recognizing how these functions needed to
be integrated, BXA established a Capital Planning Team in April 2001, made up of staff from its
Offices of Planning and Evaluation, the Comptroller, and the CIO. As a result of the team's
formation, BXA was able to coordinate its planning and budgeting processes, including efforts to
redesign ECASS, for its fiscal year 2003 budget preparation. We believe that BXA's Capital
Planning Team should continue its efforts.

[21] ECASS 2000+ Vision Document, Bureau of Export Administration, U.S. Department of
Commerce, December 15, 2000.


II. BXA Needs Better Planning to Ensure Long-Term Success of the Project

One of the most critical elements of a systems development effort is planning. Despite the fact
that progress has been made on the ECASS 2000+ project, not enough time or resources have
been devoted to basic planning for the project.
As a result, (1) BXA's initial business process
reengineering efforts are incomplete, (2) its cost estimates for ECASS 2000+ are outdated, and
(3) some of the ECASS 2000+ requirements, such as those for licensing and security, have not
been adequately specified and documented. We are making recommendations to address the
problems we identified.

A. BXA's initial business process reengineering efforts were incomplete

The need for agencies to reassess their business processes before investing in the technology that
supports them was recognized in the Clinger-Cohen Act of 1996. Specifically, Section 5123(5)
of the act requires agencies to:

        "[a]nalyze the missions of the executive agency, and based on the analysis, revise
        the executive agency's mission-related processes and administrative processes as
        appropriate before making significant investments in IT that is to be used in
        support of the performance of those missions."[22]

OMB reinforced this mandate by requiring that investments in major information systems
proposed for funding in the President's budget should, among other things, support work
processes that have been redesigned to reduce costs and improve effectiveness.[23] As such, in
1997 the Department required BXA to conduct a business process reengineering (BPR) study
prior to approving BXA's request for funds to modernize its current export licensing system.

At that time, BXA hired a consulting firm to assist it in reengineering its critical business
processes. The consultant's final report,[24] issued in June 1998, summarized the processes to be
reengineered and provided an implementation plan. Overall, BXA's first attempt to conduct a
reengineering study was constructive.
More than 50 BXA subject matter experts participated in
defining and redesigning BXA's core business processes. Consequently, the study resulted in
several meaningful recommendations to improve the export licensing and export enforcement
processes.[25]

[22] 40 U.S.C. § 1423.

[23] OMB Memorandum, "Funding Information Systems Investments," October 25, 1996.

[24] Department of Commerce, Bureau of Export Administration, Final Report: Process
Reengineering and Implementation Plan, Booz-Allen & Hamilton, June 22, 1998.

[25] The BPR study also addressed reengineering of BXA's processes that result in export and
internal operating policies and procedures.

The recommendations directed at improving BXA's export licensing process included the
following:

- Create an electronic environment for every license application and supporting
  documentation.[26]

- Establish an up-front screening team to verify the Export Control Classification Number
  and help assign the action to the most appropriate licensing team.

- Implement a team approach for processing complex actions to improve the quality and
  coordination of the effort.

- Differentiate licensing actions into "A" and "B" categories, based on the complexity and
  need for technical depth, to most efficiently use BXA's technical expertise.

Although the study was clearly valuable in terms of defining and redesigning BXA's key
business processes, we found that it was (1) narrow in scope and (2) not adequately addressed by
BXA management. Specifically, only BXA-controlled processes were considered for redesign
despite the fact that the Export Administration Act requires that BXA administer the interagency
dual-use export licensing process. When we questioned BXA as to why it chose to study only
BXA-controlled processes for redesign, we were told that the previous BXA management team
thought it would be too costly to perform an interagency review. However, BXA was unable to
provide us with any cost estimates to support that decision.

In addition, BXA did not adequately address the findings and recommendations of the study
when it was issued in 1998. As a result, during our current review, BXA was unable to provide
us with any justifications as to why some of the study's recommendations were accepted or
rejected. Furthermore, we found little evidence to indicate that BXA put into practice many of
the recommendations it claimed to accept.
Because BXA did not address the broader interagency export licensing process in its original BPR study or adequately address the recommendations from the study, the future ECASS 2000+ system could potentially automate outmoded, inefficient business processes (e.g., the export licensing process), and not consider meaningful process improvements.

However, in the summer of 2001, BXA established an internal licensing task force to review the interaction between the licensing agencies and to generate ideas about how to improve the interagency export licensing process. The task force provided a report to the Export Administration's management team in August 2001 identifying six areas where improvements might be made. We believe the establishment of this task force was a positive step in rethinking how the interagency export licensing process could operate.

26 As discussed previously in Section I, BXA is currently working with USXPORTS to implement this recommendation through the SNAP/ESD initiative.

Furthermore, the USXPORTS office, which BXA participates in, has recently completed a BPR analysis27 of the interagency dual-use export control process. The recommended BPR improvements are based on requirements identified by six interagency focus groups, comprised of representatives from Commerce, Defense, Energy, and State. The four major BPR improvements identified by USXPORTS follow.

- Broaden the electronic business exchange between industry and the U.S. government by (1) registering individual companies and individuals, (2) creating a single point of entry, and (3) submitting application data and technical specifications electronically.
- Provide robust data retrieval by maintaining a single "parties of interest" list in the system for all interested parties to tap into and provide tools for cumulative effect analysis.
- Enhance the license review and analysis process by establishing an interagency review team early in the license review process and improving interagency communication technology.
- Migrate to an unclassified data environment by creating an unclassified export licensing environment.

In October 2001, the USXPORTS office briefed its Steering Committee, comprised of the Deputy Assistant Secretary for Export Administration and various senior Defense officials, on the proposed BPR recommendations. According to USXPORTS, the committee has approved the reengineering recommendations, with slight modifications, and the next step is to determine how to implement those recommendations.

Clearly, the dual-use export control process is an interagency process, and we support BXA's involvement on the USXPORTS redesign effort to date. However, changes to current business processes need to be made as soon as possible, before the ECASS 2000+ system requirements are further specified. We recommend that BXA's new management team reevaluate the 1998 BPR recommendations, as well as recommendations from its internal task force, to determine if any of the proposed process changes are still appropriate.
In addition, BXA should continue to work closely with the other licensing agencies to evaluate the interagency recommendations from the USXPORTS reengineering effort, which BXA participated in. Finally, it is imperative that BXA make a decision about the recommendations from the two BPRs and the licensing task force report, as soon as possible, so that the ECASS 2000+ project team can develop any new major requirements for the licensing subsystem before it completes the Target Architecture (see Section III, page 25, for details on BXA's Target Architecture).

27 USXPORTS Business Process Reengineering (Draft), Version 2.1, USXPORTS Program Office, August 28, 2001.

In response to our draft report, BXA agreed with our recommendation to reevaluate and determine whether any of the proposed changes outlined in BXA's 1998 BPR, the USXPORTS BPR, or BXA's August 2001 internal licensing task force report should be factored into the ECASS 2000+ design and requirements. Specifically, BXA reported that its new ECASS 2000+ user group, which began meeting on a bi-weekly basis in mid-December 2001, will address this recommendation as a part of its duties.

B. BXA needs to update its cost estimates

There is much guidance on the need for accurate and complete cost data throughout the life of a project. For example, OMB requires updated cost-benefit analyses28 for all IT investment decisions.
In addition, a recent report from the Chairman of the Senate Governmental Affairs Committee recommended that executive departments and agencies ensure that any cost-benefit data used in investment decision making be accurate and complete.29 Furthermore, GAO guidelines emphasize that reliable cost estimates are essential for making effective IT investment decisions. Specifically, GAO states that the cost-benefit, schedule, and risk information included in an agency's analysis to justify the project, should be updated as project implementation continues and as dollar amounts increase.30

Towards that end, BXA prepared a cost-benefit analysis in September 1998.31 We believe this analysis was a much needed first step for BXA and provided a catalyst for gaining support for its ECASS 2000+ redesign effort. However, BXA has not updated that analysis since that time. As a result, BXA's redesign is based on a cost-benefit analysis that is outdated both in terms of costs and proposed requirement changes. Table 1 identifies additional features that make BXA's 1998 cost-benefit analysis outdated for the current redesign effort.

28 OMB Circular A-130, November 30, 2000. Although the OMB circular uses the term "benefit-cost" analysis, this report uses the more commonly used term "cost-benefit" analysis.
29 Investigative Report of Senator Fred Thompson on Federal Compliance with the Clinger-Cohen Act, October 20, 2000.
30 Improved Management Practices Needed to Control Integration Cost and Schedule, General Accounting Office, AIMD-99-25, December 1998.
31 BXA Cost Analysis Study, Bureau of Export Administration, September 9, 1998.

Table 1: Current Factors Affecting 1998 Cost-Benefit Analysis Assumptions

| 1998 Assumptions | 2001 Current Factors |
| System operational by the end of fiscal year 2002. | System operational by the end of fiscal year 2006. |
| System based on a centralized architecture. | System based on a decentralized (web-based) architecture. |
| System located at Commerce headquarters. | System based at some federal or public facility. |
| System comprising many commercial off-the-shelf products. | System comprising software development and commercial off-the-shelf products. |
| System based on 1998 business process reengineering recommended changes. | BPR recommendations made in 1998 have not been completely addressed. |
| Old system to have minimal support and upgrades while new system is being developed. | Changes to the old system needed as a result of delaying the system redesign into fiscal year 2006. |

Source: BXA's Cost Analysis Study, September 1998, and OIG Analysis.

BXA officials stated that limited resources (i.e., funding and staff) and time have precluded BXA from updating its cost-benefit analysis. While BXA has recently increased its cost baseline for ECASS 2000+ from $6 million in 1998 to $7.5 million in 2001, the increase was not based on a detailed cost analysis of all planned system components. In addition, this increase did not include security costs (e.g., Public Key Infrastructure) for the new system (see page 21 for details on IT security needs). As a result, BXA does not know what additional funding will be needed for system enhancements and security in the out years. To successfully complete ECASS 2000+ in a timely manner, we recommend that BXA determine what resources are needed in the short-term (FYs 2002 and 2003) and long-term (FYs 2004 through 2006) and how to secure adequate funding for ECASS 2000+.
Consideration should be given to reallocation of resources if funding is not adequate, or to an extension of the project timetable.

In response to our draft report, BXA indicated that it was obtaining an independent cost estimate based on the proposed multi-year software development plan provided by its integration contractor. Subsequently, BXA informed us that USXPORTS will provide integration contractor expertise to accomplish its independent cost estimate sometime during the second quarter of fiscal year 2002. In addition, BXA's response stated that as part of its ongoing dialogue with USXPORTS, BXA will try to share resources to provide maximum value to the interagency licensing community. Given that the fiscal year 2004 budget cycle is about to begin, we strongly urge BXA to determine its full costs for its redesign effort as soon as possible.

C. Some ECASS 2000+ requirements need to be validated and specified

Early requirements preparation will be key to the success of ECASS 2000+ over the next four fiscal years. To determine the status of requirements preparation, we reviewed all relevant documentation and interviewed specific users as to their participation in requirements analysis. While we determined that BXA had adequate user involvement in the design of its SNAP/ESD and Investigative Tracking subsystems, we found minimal user involvement in requirements preparation for the licensing subsystem. In addition, we found that the IT security requirements had not been specified.

1. User validation is needed for licensing subsystem

The success of software projects, such as ECASS 2000+, depends on adequately specifying system requirements to meet operational needs.32 Software errors are frequently attributable to problems with or misunderstandings about user requirements, and these errors generally are the most expensive to fix. Consequently, every reasonable effort should be made to precisely define system requirements, and as early in the project as is feasible.33 Despite this obvious caveat, we found little evidence of user involvement in documenting the proposed ECASS 2000+ licensing requirements. Figure 3 illustrates how users should be involved in requirements preparation.

32 User requirements define the proposed components of a system.
33 See, for example, Data Capture System 2000 Requirements and Testing Issues Caused Dress Rehearsal Problems, U.S. Department of Commerce Office of Inspector General, OSE-10846, January 1999.

Figure 3 [flowchart; stages: Data Collection, Preliminary Product Generation, Review and Revision, Publication and Delivery; steps: Literature and Documentation Review, Preliminary Meetings and Interviews, Familiarization Training, Generate Preliminary User Requirements, Hold Group Brainstorming Sessions, Conduct In-depth Individual Interviews, Revise User Requirements As Needed, User Review and Validation, Present To Users and Management, Publish Architecture Products, Populate User Tools and Repositories]

Source: A Practical Guide to Federal Enterprise Architecture, Chief Information Officers Council, February 2001.

To determine the actual extent of user participation in documenting BXA's requirements, we interviewed all BXA personnel identified by the ECASS 2000+ project team as "users" involved in the requirements process.
The BXA users informed us that although they had talked about various issues during the user group sessions, they did not systematically outline the future licensing requirements of ECASS 2000+. Instead, the users emphasized that they spent time documenting the current system functions and preparing a "wish list" of potential new system features. The users expressed concern that BXA's IT personnel had outlined most of the proposed licensing subsystem requirements without their input.

BXA's IT personnel agreed that they spent a lot of time documenting proposed licensing requirements without user input. However, they indicated that they asked for licensing officials to participate in identifying future licensing requirements but the individuals either were not interested or not available. As a result, team members decided to obtain initial licensing requirements from BXA's 1998 BPR study. Although we agree that the BPR study collected requirements from experienced licensing officials at that time, some requirements may be outdated and others may have changed since 1998.

In addition, we have concerns that BXA developed requirements without buy-in from current referral agency users, including State and Justice. Both agencies have ECASS terminals that they use to process license applications referred to them. However, BXA did not include them in any of its user groups.
During our discussions with representatives from both agencies, they informed us that they would like to participate in BXA's future user group discussions on licensing requirements.

Because of minimal user participation in defining the requirements for the licensing subsystem (1) all requirements may not have been identified and (2) identified requirements may be inaccurate or incomplete. Therefore, the system may not meet user needs when it is implemented. BXA's ECASS 2000+ project team agreed that user involvement is critical for defining user requirements and that more user involvement is needed for preparing the licensing requirements. For example, the ECASS 2000+ Risk Tracking document, dated April 2001, identified having "no business user group" as a high risk for the project that could result in a lack of acceptance by the users of the new system.

While it would be inefficient to initiate a large-scale requirements specification process at this stage in the project, we believe that the ECASS 2000+ licensing requirements need to be properly validated by a representative sample of licensing users. The ECASS 2000+ project manager agrees. Therefore, we recommend that BXA ensure that appropriate users, including those from the referral agencies, validate its system requirements for the licensing subsystem.

BXA's response to our draft report agreed with our recommendation to ensure that appropriate users, including those from the referral agencies, validate the system requirements for the license subsystem.
Specifically, BXA stated that its integration contractor will validate all requirements through detailed use case reviews by the user groups in the multi-year development project. However, BXA stated that it was inaccurate for us to report that the licensing requirements were developed without user input. Specifically, BXA's response indicated that it was too early in the process for full user involvement given that the detailed elaboration and construction of the licensing subsystem is not scheduled until fiscal year 2003.

On the other hand, BXA's response stated that many of the high level requirements for the licensing subsystem were taken from the 1998 BPR and additional requirements were gathered from selected interviews. BXA also contends that the review of its December 2000 Software Requirements Specification document by key business users confirmed the high level requirements as defined. In addition, BXA indicated that the level of detail was expanded by several redesign workshops where users both documented the current processes and the "to-be" processes. Subsequently, the ECASS 2000+ team members drafted the initial use cases (how the system and users are to interact) and then turned them over to the integration contractor.

While we never stated that the licensing requirements were developed without any user input, we maintain that there was minimal user involvement in this process.
Furthermore, while we agree that the requirements exercise performed by BXA users in 1998 was a valid starting point, BXA changed its system design after its 1998 review and ultimately some of its requirements, making a revalidation of requirements necessary. Based on interviews with BXA personnel identified by the ECASS 2000+ project team as "users" involved in the requirements process and our review of limited documentation available on this matter, we determined there was minimal user participation in defining the requirements for the licensing subsystem. Finally, we want to point out that in September 2001, the Department's IT Architecture Affinity Group informed BXA that it should have been further along in completing its system requirements and requested that BXA complete its target architecture (which includes user input and validation) no later than the second quarter of fiscal year 2002. Therefore, it was not unrealistic to expect BXA to have been further along in documenting and validating its licensing requirements at the time of our review.

2. IT security requirements need to be specified and documented

Although BXA has prepared detailed functional requirements for different parts of ECASS 2000+, it has not specified the necessary security requirements to ensure the integrity of mission critical information. Security requirements are essential to any redesign effort because they define the security measures, and they are a precursor to developing target architecture. Departmental guidelines require each agency to define and identify, as early in the design phase as possible, security requirements for ensuring the confidentiality, integrity, and availability of critical IT resources.34
Specifically, these guidelines identify 10 security areas that need to be addressed during system design (see Table 2).

34 The Department's IT Affinity Group recommends that departmental agencies use the National Oceanic and Atmospheric Administration's IT guidelines for requirements analysis and architecture preparation.

Table 2: IT Security Areas To Be Addressed During System Design

Source: The National Oceanic and Atmospheric Administration Information Technology Architecture, IT Security, Version 2.1, June 2001.

We raised this issue continuously during our review with BXA officials, including the ECASS 2000+ project manager, and departmental IT personnel. The Department's IT Affinity Group, established to oversee systems architecture by departmental agencies, also raised concerns with BXA that the security requirements had not been specified. During the course of our review, BXA prepared some initial security requirements and estimated that they would be completed by December 2001 (although it should be noted that the original date of completion was September 20, 2001). The ECASS 2000+ project team members informed us that although preparing security requirements is a priority task, it is also a large undertaking. They believe that the team lacks adequate resources to complete this task in a timely manner.
Specifically, only one part-time team member has been given the responsibility for IT security and preparing the target systems architecture.

Given that ECASS 2000+ will be a web-based system connected to the Internet, adequate security is needed to protect the increased transfer of business proprietary information. Specifically, ECASS 2000+ will implement new Internet services and provide electronic access for users of BXA information and services. To address this need for upgraded security, a key component of ECASS 2000+ will involve Public Key Infrastructure (PKI) technology. PKI is a technology designed to protect Internet electronic transactions through the use of digital certificates and encryption keys. Digital certificates are used to verify and authenticate the validity of each party involved in an Internet transaction, and encryption keys are used to secure the data.

Without specifying its proposed security requirements, including but not limited to PKI, BXA cannot adequately design its new system or determine how much additional funding for security might be needed in the outlay years. Therefore, we recommend that BXA document its security requirements as soon as possible and determine how to fund them, including whether it should reallocate existing resources or make them a high funding priority.

In response to our draft report, BXA agreed with our recommendation to document its security requirements and determine how to fund them as soon as possible.
Towards that end, BXA indicated that it will implement a robust IT security action plan in fiscal year 2002 by redirecting existing resources. In addition, OMB has approved a $1 million increase for BXA's IT security program (including the implementation of PKI) in fiscal year 2003. Furthermore, BXA's ECASS 2000+ program manager recently informed us that BXA intends to direct 10 percent of the ECASS 2000+ fiscal year 2003 budget to security-related activities.

However, BXA's response disputed our finding that it had not prepared security requirements for ECASS 2000+. Specifically, BXA stated that the ECASS 2000+ IT security requirements were specified at the time of our review, albeit at a high-level. However, BXA indicated that such requirements were not detailed in the December 2000 Software Requirements Specification because they represented an initial view based on the team's knowledge at that time. Furthermore, BXA's response argued that these requirements could not be finalized until (1) the Department solidified its network infrastructure, and (2) BXA's integration contractor proposed the ECASS 2000+ system software/hardware. We disagree that most of the detailed security requirements could not have been completed based on the two reasons cited by BXA.

First, BXA's ECASS 2000+ system and the Department's network infrastructure have separate and distinct security requirements. While it is important for ECASS 2000+ to properly interface (including access controls) with the Department's network, BXA is not restricted by the Department's network infrastructure. Furthermore, the Department's requirements for its network infrastructure are at a higher and more generic level than BXA's detailed requirements for its system.
As such, all 10 areas listed in Table 2 of this report could have been addressed without knowing the final departmental network infrastructure. For example, given that the Department's network infrastructure is just one component of access controls BXA needed to address, BXA could have started outlining and documenting the other access control components for its new system.

Second, BXA should have prepared its detailed security requirements prior to its integration contractor proposing the ECASS 2000+ system software/hardware. The contractor could have reviewed and incorporated those requirements into the proposed ECASS 2000+ system hardware and software. During the course of our review, ECASS 2000+ project team members and the systems integration contractor agreed that security requirements could have provided valuable input for the design of the proposed system hardware and software.

III. BXA Needs to Strengthen its Modernization Effort by Implementing Established IT Management Best Practices

In June 2001, the Secretary of Commerce emphasized that management of all departmental IT projects needs to be strengthened.35 Toward that end, departmental agencies are required to upgrade their management structures to ensure that established management processes and documentation are in place early in systems development efforts. As of September 30, 2001, the ECASS 2000+ project still lacked an adequate (1) configuration management process, (2) risk management process, (3) software acquisition training program for its project team members, (4) project management plan, and (5) target architecture. These are all key system management tools needed to better manage the redesign effort.

The project management tools identified above have long been recommended by OMB's CIO Council,36 GAO,37 and departmental IT guidelines.38 The ECASS 2000+ project manager acknowledged that these management tools should be instituted, but stated that the lack of resources dedicated to this project has made it difficult to manage and oversee the redesign effort, in addition to implementing the management tools in a timely manner. The ECASS 2000+ project team currently is comprised of a full-time project manager (who also participates as a full partner with the USXPORTS office up to one day a week) and three part-time federal employees (who are also assigned to other IT duties within BXA not directly affiliated with the redesign effort). Because the current project team members had multiple duties, the project manager had to (1) enlist its ECASS maintenance contractor to help design the new system (while still continuing to maintain the current system) and (2) rely heavily on its system integration contractor for the design, implementation, and oversight of the redesign project.

BXA's senior management needs to address the resource constraints and ensure that the ECASS 2000+ project is not put at risk because it lacks adequate management processes and system documentation. Table 3 lists each of these management tools and the specific effects of not having a particular tool in place.

35 Strengthening Commerce Information Technology Management, Memorandum to Secretarial Officers and Heads of Operating Units, June 13, 2001.
36 A Practical Guide to Federal Enterprise Architecture, Chief Information Officers Council, February 2001.
37 For example, see report, Executive Guide: Improving Mission Performance Through Strategic Information Management and Technology, Learning from Leading Organizations, GAO-94-115, May 1994.
38 Department of Commerce Information Technology Planning and Investment Review Maturity Model, July 2001.

Table 3: Management Tools Needed for ECASS 2000+ Project

Management Tool: Configuration Management. A process used to (1) control and track access and changes to system components, (2) coordinate work among developers, and (3) provide the means for building system baselines for testing and release.
Impact of Not Having Management Tools in Place: Without a configuration management process in place, BXA cannot track access and control changes to its requirements and system components. According to BXA's April 2001 Risk Tracking Document, BXA had no in-house configuration management experience, placing the project at risk of having insufficient in-house control over software development and inadequate accountability. BXA informed us that it attempted to implement configuration management software, but as of September 30, 2001, this software had not been installed nor had an individual been assigned to oversee configuration management. BXA's system integration contractor had prepared a draft configuration management plan as of late September 2001, but the ECASS 2000+ project manager had not approved the plan by the conclusion of our fieldwork.

Management Tool: Risk Management. A process for ensuring that current and potential problems, threats, and vulnerabilities of a systems development effort are identified and addressed in a timely manner.
Impact of Not Having Management Tools in Place: Without a risk management process in place, BXA does not know what potential risks exist that might affect the project and how to address those risks in a timely manner. BXA's contractor did submit a risk management plan on September 27, 2001, but the plan lacked the details needed to identify the vulnerabilities.

Management Tool: Software Acquisition Training. A process to ensure that current project staff members have received adequate training to properly oversee all software acquisition and development efforts.
Impact of Not Having Management Tools in Place: With the exception of the ECASS 2000+ project manager, the project team lacks the training required to oversee software development of ECASS 2000+. Although the project team members have had some initial software acquisition training, the team has been too busy to complete follow-up training through BXA's systems integration contractor.

Management Tool: Project Management Plan. A document that tracks the progress, accomplishments, and other areas requiring attention for each system development effort.
Impact of Not Having Management Tools in Place: Without a Project Management Plan, the ECASS 2000+ project team does not know when each phase of the project is due to be completed or even whether there have been project delays. BXA's April 2001 Risk Tracking Document also highlights this risk. While BXA's systems integration contractor prepared a draft Project Management Plan on September 25, 2001, it lacked several sections, including a proposed milestone schedule (a basic element of any project plan).

Management Tool: Target Architecture. A group of documents, including (1) Technical Reference Model, (2) Standards Profile, (3) Gap Analysis, and (4) Data Migration Plan, which define new and future processes through data, applications, and technology changes.
Impact of Not Having Management Tools in Place: Without a target architecture, the ECASS 2000+ project team cannot adequately ensure that all components of the new system adhere to the same proposed standards and technology. Several of the required documents have not been completed, such as the technical reference model and standards profile. Although BXA is currently attempting to define the architectural standards and technology for ECASS 2000+, two of its subsystems (SNAP/ESD and the Investigative Tracking system) will be implemented in early 2002 and might require technology changes once the final architecture standards have been selected. In addition, without the target architecture, BXA cannot determine where ECASS 2000+, including the two subsystems currently being implemented, should be located if it does not remain at the Department's Springfield Computer Center.

Source: Commerce Office of Inspector General.

Conclusions

BXA has requested, but not received, additional positions from the Congress for the redesign effort. As a result, senior BXA managers need to consider alternative ways to provide adequate personnel and funding resources to ensure that established management tools are in place for ECASS 2000+ and to keep the project on schedule.39 This may include reallocation of existing resources within BXA, as necessary. Given the shortcomings and inadequacies of the current export licensing system, it is imperative that BXA senior managers oversee the modernization project and dedicate appropriate resources to it in order to ensure that its revised fiscal year 2006 deadline is met.

In addition, BXA senior managers, including BXA's CIO, should periodically meet to discuss ECASS 2000+ development efforts, including any delays or major problems with the project. One vehicle BXA managers could use to provide project oversight is BXA's IT Steering Committee. In August 1997, this committee was established as a tool for BXA's senior managers to periodically review all IT projects. However, since June 2000 this committee has only met once, in October 2001 after our fieldwork was completed.

Furthermore, BXA needs to strengthen its redesign effort by (1) implementing its configuration management process, (2) implementing its risk management process, (3) completing all necessary software acquisition training, (4) revising and approving the project management plan, and (5) completing its target architecture.
Finally, BXA needs to make a decision about where its new system should be located no later than the second quarter of fiscal year 2002.

In response to our draft report, BXA agreed with our various recommendations to strengthen its management of the ECASS redesign effort. Specifically, BXA informed us that its IT Steering Committee met twice in October 2001 to approve the multi-year ECASS 2000+ software development plan, and that the committee plans to hold quarterly meetings in the future to address both ECASS 2000+ and any other IT issues. BXA's response also stated that in an effort to keep BXA managers and potential users of the new system regularly updated on the system's development, its managers receive a one to two page biweekly update of all major ECASS 2000+ activities, and a new ECASS 2000+ website was established in February 2002 for all potential users.

39 Initially, BXA's target date for implementing ECASS 2000+ was fiscal year 2003. That target date has now been extended to fiscal year 2006, and BXA still does not know whether the full system will be completed within that timeframe.

In addition, BXA's response stated that its integration contractor has instituted an active risk management process and begun to implement a configuration management process using the Rational toolset. BXA also indicated that it expects to provide all of the ECASS 2000+ team members on-line access to these processes in February 2002.
Moreover, subsequent to our draft report, the ECASS 2000+ project team members have reportedly completed the necessary software acquisition training. Specifically, in November 2001 the team conducted a self-assessment of the software acquisition processes currently in place and the steps necessary to implement ongoing process improvements. Furthermore, BXA's response stated that the ECASS 2000+ program manager will revise and approve the program management plan during the second quarter of fiscal year 2002.

Finally, BXA's response indicated that completion of the target architecture will be a priority task during the second quarter of fiscal year 2002. As a part of that effort, BXA is currently conducting a data center study and hopes to have a final candidate list in February 2002. At that time, BXA anticipates visiting the proposed sites and making recommendations to BXA management as to where its new system will be located. BXA hopes to have a final decision on this matter during the third quarter of fiscal year 2002.

Although BXA agreed with our recommendations to implement established IT management best practices to strengthen its modernization efforts, it took exception to our characterization that due to resource constraints, the ECASS 2000+ project manager had to enlist the help of its ECASS maintenance contractors and heavily rely on its integration contractor for the design, implementation, and oversight of the redesign project. While BXA may have intended to use its ECASS maintenance contractor for various tasks associated with the redesign effort, we were informed differently during our review by both ECASS 2000+ project team members and ECASS maintenance personnel.
Given the age of ECASS, it is our understanding that BXA's maintenance contractors are kept fairly busy "maintaining" the current system and ensuring that it remains operational. As such, our report was simply highlighting the need for dedicated full-time personnel to work on the redesign effort. Furthermore, while we agree that BXA's ECASS integration contractor has played and will continue to play a key role in the development of ECASS 2000+, a project manager needs adequate in-house staff to oversee all of the sub-tasks associated with a system development project.

IV. Interagency Cooperation on Planning, Design, and Development Has Been Mixed

Our 1999 report on the export licensing process cautioned BXA that without improved coordination between the licensing agencies, the simultaneous development of multiple and distinct export licensing automation systems would continue. Thus, we recommended that BXA coordinate its system development efforts with the other export licensing agencies. As a part of that coordination effort, we recommended that BXA encourage these agencies to establish an interagency steering committee to review the automation portion of the export licensing process, from coordinating common system architecture requirements to determining how interagency resources could be used to fund and implement a new system.
Since then, BXA has participated in and coordinated with some of USXPORTS automation efforts currently underway; however, BXA has not involved the other licensing agencies in its own redesign effort beyond SNAP/ESD.

According to OMB Circular A-130, federal agencies should ensure that improvements to existing information systems and the development of planned information systems do not unnecessarily duplicate existing information systems. However, BXA managers have not, to date, seen fit to include the other licensing agencies in its efforts to modernize ECASS.

Joint BXA and USXPORTS initiatives

In an attempt to work more closely with Defense, BXA's ECASS 2000+ project manager also serves as the Commerce project manager for Defense's USXPORTS. As such, the project manager participates as a full partner with the USXPORTS office and dedicates up to one full day a week to USXPORTS activities. We believe this arrangement is an important first step for both agencies to better coordinate their automation efforts. In addition, as mentioned previously, there are two important USXPORTS initiatives currently underway in which BXA is a key participant.

First, BXA and USXPORTS are jointly working on SNAP/ESD, which will enable exporters to concurrently submit all export license applications and supporting documentation electronically. The USXPORTS office is funding the project, and BXA's ECASS 2000+ project manager is responsible for overseeing the development of the project for USXPORTS. Once completed, USXPORTS will turn the system over to BXA to house and maintain SNAP/ESD. We believe the partnership shown on this project has demonstrated the benefits of agencies working cooperatively together.

Second, both BXA and the USXPORTS office are working to improve the automated interface between BXA's and Defense's export licensing systems by establishing a dedicated T-1 communication line (unclassified but sensitive) between the two agencies. A T-1 line is a dedicated high-speed connection that will enable faster and more secure transmission of data between the two agencies. According to USXPORTS, security testing for the T-1 line began in January 2002 and will continue until March 2002 when the line is to become fully operational to support SNAP/ESD. Finally, we would like to reemphasize that BXA personnel participated in USXPORTS's BPR efforts for the dual-use licensing process. Clearly, the dual-use export control process is an interagency process, and we commend BXA's involvement in the USXPORTS reengineering efforts to date.

Developing licensing requirements in isolation

As we mentioned earlier in Chapter II, Section C, BXA is developing requirements for ECASS 2000+ without input or validation from the current referral agency users (e.g., State and Justice) or potential referral agency users (e.g., Defense). Both State and Justice licensing officers use ECASS to process license applications referred to them. As such, they should be included in the development of licensing requirements for the new system. In addition, given that Defense is currently evaluating whether to migrate its export licensing data to an unclassified environment,40 it is even more imperative that Commerce and Defense work together to develop common licensing requirements.
In fact, according to BXA's April 2001 ECASS 2000+ Risk Tracking document, the lack of sharing and validation of user requirements among the interagency community might result in BXA developing a system that will not efficiently and effectively process export license applications.

Other system alternatives need to be explored

Because BXA is developing its licensing system independently, it may not be adequately evaluating other system alternatives for its license processing needs beyond enhancing the interfaces with the existing licensing systems. For instance, two other alternatives that the USXPORTS office has identified to improve the export licensing process include a hybrid "system-of-systems" and a single federal dual-use licensing system.

- Hybrid System-of-Systems: A system to house all data submitted by industry in a single database, but each export license agency would build its own licensing subsystem unique to its agency's needs and functions.

- Single Federal Dual-Use Licensing System: A single integrated system to replace all federal export licensing automated systems supporting the dual-use export license review process.

40 According to Defense, its export license data is primarily unclassified; however, Defense was uncertain whether this unclassified data remained unclassified in the aggregate. As a result, Defense recently completed an Operational Security study that concluded that the compilation of Defense's unclassified export license data does not need to be classified based on the aggregation of the data and should be treated as sensitive but unclassified data.

The hybrid system-of-systems alternative seems to offer a more integrated export licensing process environment than currently exists. In fact, at least one of the features of this alternative is currently being developed. Specifically, while the hybrid system of systems option includes a central repository for all data records pertaining to an export license, the SNAP/ESD subsystem that BXA and USXPORTS are already developing will in effect be a central repository for all electronic supporting documentation. We believe this effort could easily be expanded to incorporate the rest of the license record, including (1) license application data, (2) referral history, and (3) final disposition of case.

However, BXA has expressed concern that the creation of a central repository for all license data records would eliminate its ability to review license applications upfront for completeness before the applications are referred. We believe that BXA's concern can be addressed, if necessary. As the electronic support documentation system is currently planned, the interagency licensing agencies will only have specific read-only access to the documentation relating to those cases that have been referred to them by BXA.
Therefore, it should be technically feasible to put similar controls on license applications so that BXA can initially review the applications before giving the referral agencies access to those cases in the system that they have asked to review.

At a minimum, we believe that BXA and the other export licensing agencies can effectively use one data repository to provide user access to licensing subsystems and support tools while allowing agencies to maintain control of their respective databases. Besides the efficiency gains associated with this alternative, a central repository of all license data will also provide a tool for cumulative effect analysis which can be used in processing future relevant licensing cases.

In addition, while we believe there would be definite savings and efficiency gains, such as merging computer facilities, standardizing hardware and software, and reducing systems support staff, in having a single federal dual-use licensing system, we realize that three of the six export licensing agencies (Defense, Energy, and the CIA) currently operate in a classified environment. Thus, this alternative may be harder to achieve at this time. However, if Defense migrates its export licensing data to an unclassified environment in the near future, this alternative would potentially be feasible for Commerce, Defense, Justice, and State, at a minimum, and should be adequately evaluated by BXA and the other export licensing agencies.
As such, BXA should explore whether Defense could use the ECASS 2000+ licensing subsystem for its export licensing needs.

Conclusions

According to BXA, 86 percent of license applications are referred to other agencies for review. As a result, understanding how each agency contributes to the licensing process is essential for planning the redesign of ECASS. Although BXA has taken some steps to participate and coordinate with Defense to improve the current automated systems that support the export license process, BXA does not have a clear definition of how it will continue to work with Defense or the other licensing agencies. Therefore, we recommend that BXA work with the other export licensing agencies to develop a written agreement between BXA and the license referral agencies, including the Departments of Defense, Energy, Justice, State, and the Treasury, and the CIA. The agreement should outline both the responsibilities of each party involved and how best to coordinate BXA's ECASS 2000+ redesign effort with the other agencies' automation initiatives.

BXA's response to our draft report indicated that it partially agreed with our recommendations to improve interagency cooperation and coordination on its ECASS redesign effort.
Specifically, BXA's response stated that it has provided Defense with copies of all of its ECASS 2000+ developmental products (e.g., Vision Document, Software Requirements Specification document, and the initial library of developed use cases) in an effort to avoid duplication, and that BXA continues to explore with Defense the option of using ECASS 2000+ for Defense's export licensing needs. However, when further questioned on this matter, BXA informed us that it has not asked Defense to use BXA's new ECASS 2000+ for Defense's licensing needs nor does BXA believe it is appropriate to do so. We disagree. Given that Commerce has the legislative mandate to administer the interagency dual-use export licensing process and the fact that a recent security review concluded that Defense could migrate its export licensing data to an unclassified environment, it is an opportune time for Commerce to aggressively explore with Defense the feasibility of it using ECASS 2000+ for its export licensing needs.

Furthermore, BXA's response stated that it is already working with Defense's USXPORTS office to develop a central repository for all electronic supporting documentation (SNAP/ESD), and that the development of more appropriate interfaces to enhance the data flows within agencies and data sharing will be determined by a number of factors, both technical and non-technical. While we commend BXA for working with Defense to develop SNAP/ESD, we do not believe that this effort goes far enough. Specifically, only one referral agency (State) currently has the ability to centrally view all application data, agency comments and the final disposition on cases that are referred to it.41 However, by creating a central repository for all unclassified export licensing data (including, at a minimum, license application data, referral history, and the final disposition of a case), all referral agencies could have access to this data.

Finally, while BXA's response stated that it has a Memorandum of Agreement in place with Defense committing Commerce resources to improving the interagency licensing processes through the coordination of automation initiatives, BXA later informed us that it does not have such an agreement in place with Defense. While we understand that there is a letter from the former Under Secretary for Export Administration to the Principal Deputy Under Secretary of Defense (Acquisition Technology and Logistics), dated June 30, 2000, indicating BXA's willingness to participate and coordinate with Defense's efforts to improve the current automated systems that support the export license process, the letter does not outline specifically how BXA will continue to work with Defense or the other licensing agencies once the SNAP/ESD project is complete.

BXA's response also notes that Defense's efforts (through its USXPORTS office) to fully engage all of the export licensing agencies to improve the interagency export licensing systems have not been fully successful. However, it is our understanding that one of the key factors that hindered USXPORTS's ability to fully engage the export licensing agencies (most notably State's Office of Defense Trade Controls, which oversees the munitions export licensing process) was the fact that it had no authority to do so. However, BXA, which has the legislative mandate to administer the interagency dual-use export licensing process, does have the authority and responsibility to aggressively work with the referral agencies to improve the various automated dual-use export licensing systems. Therefore, we again reiterate our recommendation for BXA, in coordination with the referral agencies, to develop a written agreement ensuring that dual-use export licensing systems are developed, integrated, and modernized without duplication. Furthermore, the agreement should outline the responsibilities of each agency involved in the process to ensure maximum interagency cooperation and coordination in the licensing of controlled exports. At a minimum, BXA should develop a central repository for all unclassified data records pertaining to an export license. The repository should have appropriate access controls while also allowing the agencies to maintain control of their respective databases, as appropriate.

41 BXA informed us that it previously developed subprograms for Defense and the CIA to view agency comments and final disposition of cases, but it is not sure if the subprograms are being used anymore.

RECOMMENDATIONS

We recommend that the Under Secretary for Export Administration take the following actions to better ensure the success of the ECASS 2000+ project:

1. Reevaluate and determine, as soon as possible, whether any of the proposed changes outlined in BXA's 1998 BPR, the USXPORTS BPR, as well as BXA's August 2001 internal licensing task force report, should be factored into the design and requirements for ECASS 2000+ (see page 15).

2. Determine what resources are needed in the short-term (FYs 2002 and 2003) and long-term (FYs 2004 through 2006), how to secure adequate funding levels, and whether it is necessary to extend the project timeframe (see page 17).

3. Ensure that appropriate users, including those from referral agencies, validate the systems requirements for the licensing subsystem (see page 20).

4. Document security requirements as soon as possible and determine how to fund them, including whether BXA should reallocate existing resources or make them a high funding priority (see page 23).

5. Convene a meeting periodically of BXA senior managers, including the CIO, to discuss ECASS 2000+ development efforts, and any anticipated delays or major problems with the project (see page 27).

6. Implement the ECASS 2000+ configuration management process during the second quarter of fiscal year 2002 (see page 27).

7. Implement the ECASS 2000+ risk management process during the second quarter of fiscal year 2002 (see page 27).

8. Ensure that the ECASS 2000+ project team completes the necessary software acquisition training during the second quarter of fiscal year 2002 (see page 27).

9. Revise and approve the project management plan during the second quarter of fiscal year 2002 (see page 27).

10. Complete the target architecture and select a location to house BXA's new export licensing automation system during the second quarter of fiscal year 2002 (see page 27).

11. Explore whether Defense could use the ECASS 2000+ licensing subsystem for its export licensing needs (see page 32).

12. Work with the dual-use export licensing agencies to develop a central data repository for all data records pertaining to an export license reviewed by these agencies. The repository should have appropriate access controls while also allowing the agencies to maintain control of their respective databases (see page 32).

13. Develop a written agreement between BXA and the license referral agencies, including the Departments of Defense, Energy, and State, and the Treasury, and the CIA outlining the responsibilities of each party involved in this effort and how best to coordinate the ECASS 2000+ redesign effort with each agency's automation initiatives (see page 32).

APPENDIX A

STATUS OF 1999 INTERNAL CONTROL RECOMMENDATIONS

In its 1999 report on export licensing,42 we made a number of recommendations related to internal controls for the current ECASS system. In response to our recommendations, BXA indicated in some cases that it would build specific internal controls into its new licensing system, ECASS 2000+, to address a control problem that it could not correct in the current system. Those controls planned for ECASS 2000+ are also highlighted below, but we did not complete a review of the internal controls planned for the new system.
Our 1999 internal control recommendations and the status of BXA's steps taken in regard to the recommendations follow.

42 Improvements Are Needed to Meet the Export Licensing Requirements of the 21st Century, U.S. Department of Commerce Office of Inspector General, IPE-11488, June 1999.

Recommendations for the Bureau of Export Administration

28. Take the following actions necessary to implement or strengthen the internal controls for ECASS, including:

(a) Provide a duplicate read-only tape to the Under Secretary for Export Administration every 90 days, highlighting any changes that might be made by lower ranking BXA personnel.

Status: Closed. BXA sends backup tapes to the departmental computer center in Springfield, Virginia, on a regular basis. According to BXA and center personnel, the tapes are appropriately safeguarded and available for review, if needed, by the Under Secretary for Export Administration. We believe that BXA's actions meet the intent of our recommendation.

(b) Establish criteria for reopening closed cases in the system.

Status: Closed. BXA decided not to establish criteria for reopening cases because there are too many variables to be considered when reopening a case. However, BXA issued a memorandum reemphasizing that each office must submit a written justification to the Office of Exporter Services (OEXS) for opening a closed case. OEXS informed us it will send back any request that contains insufficient information describing why the case should be reopened. If information describing why a case should be reopened is sufficient, OEXS will determine whether the case should be reopened based upon the export regulations and specific circumstances. As such, we believe that this action meets the intent of our recommendation.

(c) Ensure that the electronic audit trail is more complete.

Status: Open. According to BXA, it will institute an improved audit trail in the ECASS 2000+ system. Specifically, audit trails will be maintained in the new system for data modifications, ensuring data integrity by implementing version control for all BXA work items and business entities. However, until these changes are implemented, the recommendation will remain open.

(d) Have the database administrator assign data element responsibilities to individuals throughout the organization.

Status: Open. BXA acknowledged that this recommendation addresses responsibility and accountability for authorizing access to data elements and thereby ensuring the integrity of the data elements. As such, BXA indicated that it will enforce this internal control in ECASS 2000+ through a role-based permission scheme that ensures access to data by authorized individuals. Until these changes are implemented, the recommendation will remain open.

(e) Establish an official database review board.

Status: Open.
BXA informed us that it plans to officially establish a Milestone Achievement Review Board in the second quarter of fiscal year 2002. In the interim, board members have been proposed and their duties have been enumerated. However, according to BXA, the board will only address issues related to the new ECASS 2000+ system, not the current ECASS system. Given that BXA must rely on its current ECASS system for another four years (until fiscal year 2006), we believe this board should also address issues relevant to the current system as well. Therefore, this recommendation will remain open.

(f) Establish a standards development group to develop appropriate database standards, including data definition, data documentation, passwords, and writing and testing programs.

Status: Open. Through the design of the ECASS 2000+ system, BXA intends to implement an ongoing configuration management process, including configuration identification, control, status accounting, and auditing. We believe that this action will meet the intent of our recommendation once it is fully implemented.

(g) Designate a team to periodically review the internal controls and risks associated with BXA's system, about once a year or when conditions materially change.

Status: Closed.
As a part of BXA's new IT security program, BXA completed a risk assessment of the current ECASS system in December 2001. While BXA's actions meet the intent of our recommendation, we want to reiterate the need for BXA to conduct these assessments on an ongoing basis.

(h) Require the database administrator to reorganize the database every year.

Status: Closed. BXA personnel informed us that they have and will continue to evaluate the space requirement needs of the existing system. As a result, BXA personnel emphasized that there is no database reorganization that needs to be done at the current time. Within the next few months, BXA's database administrator will determine whether archiving data is necessary and, thus, whether reorganization of the database might be needed. BXA personnel stated that this process will continue as data in the database is archived. We believe that BXA's actions meet the intent of our recommendation.

(i) Consider the feasibility of one data entry clerk's work being reviewed by another before it goes into the database, or contract this function out.

Status: Closed. According to BXA, this recommendation would be too costly to implement. More important, BXA believes that a continued increase in on-line applications by users will make this recommendation moot.
We cannot confirm that our recommendation would be too costly to implement, but we agree that a continued increase in on-line applications will make our recommendation moot. Since our 1999 review, on-line submission of applications has grown to more than 61 percent. In early 2002, BXA is scheduled to implement improvements to its existing SNAP system, which should increase more on-line applications. As a result, we believe that our recommendation is no longer necessary.

(j) Reestablish the old "User Meetings" between the operations staff, licensing officers, and information technology staff to discuss issues and identify and resolve problems quickly.

Status: Closed. BXA has held user meetings as part of the requirements elicitation for the ECASS 2000+ system. In addition, current ECASS users will be accommodated on an as needed basis as issues are identified. We believe that these actions meet the intent of our recommendation.

(k) Take steps to reduce the number of duplicate codes in the database, including an extensive archiving effort to retire a large number of duplicate identification numbers.

Status: Open. Although BXA archives records when necessary, the archiving function does not solve the problem of duplicate codes in the database.
BXA personnel stated that the manual entry of codes causes duplications in the database. However, BXA informed us that this issue will be addressed in the design of ECASS 2000+. Until this issue is resolved, the recommendation remains open.

(l) Update the current continuity of operations plan to include all appropriate manual and system contingency processes as soon as possible.

Status: Open. According to BXA, it plans to issue a revised continuity of operations plan in February 2002. However, BXA personnel emphasized that funding to implement the plan, if needed, has not been available. As such, BXA needs to determine what funding is needed, including whether BXA needs to reallocate existing resources or seek additional funding, if the plan is to be implemented. Until these issues are resolved, the recommendation remains open.

(m) Establish a risk management team to identify and assess the severity of risk in BXA's database environment, or have a contractor perform the risk analysis.

Status: Closed. BXA has established a risk management team to identify, track, and mitigate process risks for both ECASS and ECASS 2000+. Furthermore, the ECASS 2000+ project team members completed training on the Software Engineering Institute's Continuous Risk Management program in November 2001. As a result, this recommendation is closed.

(n) Send a "network message" to emphasize that all database problems should be reported via the hotline.

Status: Closed. BXA has sent a network message to let users know that they can inform the database administrator of database problems. We believe that this action meets the intent of our recommendation.

(o) Prepare a BXA system security plan.

Status: Open. Although BXA has a draft security plan for its current system, it has not been reviewed or approved by BXA management. As a result, BXA lacks a working security plan for ECASS. In addition, we would like to point out that although BXA has not yet prepared its security requirements for ECASS 2000+, it recently hired a contractor to prepare a security plan for the new system in fiscal year 2002. Until BXA management approves the plan for the current system, the recommendation remains open.

(p) Perform periodic security reviews.

Status: Open. While BXA has performed partial security reviews of database access controls, it has not performed complete security reviews of its operations. BXA plans to begin performing complete security reviews in September 2002. BXA's action partially meets the intent of our recommendation.

(q) Officially assign the security duties of BXA's computer system to BXA's security officer.

Status: Closed.
BXA has officially assigned its security responsibilities to an IT Security Officer. In addition, it recently designated an alternate security officer. BXA's actions meet the intent of our recommendation.

(r) Provide all ECASS users with current security training.

Status: Closed. BXA has implemented Security Standard Operating Procedures for ECASS users. Each new user is required to read this guide and sign a certificate vouching for that fact. We believe that BXA's action meets the intent of our recommendation.

(s) Develop a communication link to immediately notify the Springfield Computer Center of terminated or transferring employees so that system access can be promptly revoked or modified, by the end of each working day.

Status: Closed. BXA has instituted a standard form to be completed when employees leave BXA, which is immediately e-mailed or faxed to the account administrator at the Department's Computer Center in Springfield, Virginia. ECASS access is also a part of the sign-out process when employees leave BXA, ensuring that the ECASS access manager can cancel employee ECASS accounts before they leave BXA. The account administrator at the departmental center stated that BXA is providing the necessary information in a timely manner.
We believe that BXA's actions meet the intent of our recommendation.

(t) Restrict the number of BXA employees with file manager access.

Status: Closed. BXA has designated - and we agree - three individuals to have file manager access. Specifically, the database administrator and two other technical staff members will perform database operations and backup tasks. We believe that BXA's action meets the intent of our recommendation.

APPENDIX B

List of Acronyms

BPR            Business Process Reengineering
BXA            Bureau of Export Administration
CIA            Central Intelligence Agency
CIO            Chief Information Officer
CITRB          Commerce Information Technology Review Board
COTS           Commercial-Off-the-Shelf
ECASS          Export Control Automated Support System
EXCON          Export Control System
FORDTIS/TPS    Foreign Disclosure and Technical Information System/Technology Protection System
GAO            U.S. General Accounting Office
IT             Information Technology
OC             Operating Committee
OEXS           Office of Exporter Services
OIG            Office of Inspector General
OMB            Office of Management and Budget
PINS           Proliferation Information Network System
PKI            Public Key Infrastructure
SNAP/ESD       Simplified Network Application Processing/Electronic Support Documentation System
TECS           Treasury Enforcement Communications System
USXPORTS       U.S. Export Systems
WINPAC         Weapons Intelligence, Nonproliferation, and Arms Control

APPENDIX C

Agency Response

UNITED STATES DEPARTMENT OF COMMERCE
Under Secretary for Export Administration

January 22, 2002

MEMORANDUM FOR JOHNNIE FRAZIER
INSPECTOR GENERAL

FROM: Kenneth I. Juster

SUBJECT

The Bureau of Export Administration (BXA) appreciates the opportunity to comment on the Office of Inspector General's draft report entitled, "BXA Needs to Strengthen Its ECASS Modernization Efforts to Ensure Long-Term Success of the Project (IPE-14270)." BXA [illegible] have made progress on the ECASS 2000+ redesign effort. We have outlined additional actions taken since the conclusion of your study that demonstrate our commitment to ensure the long-term success of our [illegible].

BXA's comments are included as two attachments to this memorandum: (1) comments on the report's recommendations, and (2) detailed comments on the report text. BXA also has included an Appendix containing additional documentation that was not available prior to the completion of the study.

If you have any further questions concerning BXA's comments, please contact Miriam Cohen, Director of [illegible], on (202) 482-1900.

BXA Comments on ECASS 2000+ Report Recommendations

Recommendation 1: Reevaluate and determine, as soon as possible, whether any of the proposed changes outlined in BXA's 1998 Business Process Reengineering (BPR), the USXPORTS BPR, as well as BXA's August 2001 internal licensing task force report, should be factored into the design and requirements for ECASS 2000+.

Agree. This recommendation will be addressed and documented by the ECASS 2000+ User Group that meets on a bi-weekly basis.

Recommendation 2: Determine what resources are needed in the short-term (FYs 2002 and 2003) and long-term (FYs 2004 and 2005), how to secure adequate funding levels, and whether it is necessary to extend the project time frame.

Agree. BXA is in the process of obtaining an independent cost estimate based on the proposed multi-year software development plan provided by our integration contractor. In addition, as part of our ongoing dialogue with USXPORTS, we continue to look for ways to share resources and encourage reuse to provide maximum value to the interagency licensing community.

Recommendation 3: Ensure that appropriate users, including those from referral agencies, validate the systems requirements for the license subsystem.

Agree. Several referral agencies will participate in the beta testing of the new SNAP system. In addition, BXA will invite these agencies to participate in user requirement validation sessions for the license subsystem.
The USXPORTS interagency [illegible] can facilitate this ongoing dialogue and also provide additional requirements.

Recommendation 4: Document security requirements as soon as possible and determine how to fund them, including whether BXA should reallocate existing resources or make them a high funding priority.

BXA has already [illegible] and prioritized security requirements resulting from IT security self-assessments and GAO audit results. BXA has implemented a robust IT security action plan in FY 2002 by redirecting existing resources (see Appendix 1). The Office of Management and Budget (OMB) has approved a $1 million [illegible] for BXA's IT security program in FY 2003.

Recommendation 5: Convene a meeting periodically of BXA senior managers, including the Chief Information Officer (CIO), to discuss ECASS 2000+ development efforts, and any anticipated delays or major problems with the project.

Agree. The BXA Information Technology Steering Committee (ITSC) is composed of the Bureau's [illegible], including the CIO. The Committee met twice in October 2001 to approve the multi-year ECASS 2000+ software development plan (See Appendix 2 for a copy of the software development plan). ITSC quarterly meetings are planned to [illegible] ECASS 2000+ and any information technology issues. In addition, BXA's senior managers receive a one- to two-page biweekly update of all major ECASS 2000+ activities. A new ECASS 2000+ Web site will be available to all potential users in February 2002. All project artifacts, including [illegible] of new [illegible], will be available through this website.

Recommendation 6: Implement the ECASS 2000+ configuration management process during the second quarter of fiscal year 2002.

Agree. BXA's integration contractor has begun to implement this process using the Rational toolset and will provide web access to all ECASS 2000+ team members in February 2002.

Recommendation 7: Implement the ECASS 2000+ risk management process during the second quarter of fiscal year 2002.

Agree. BXA's integration contractor has an active risk management process in place, and will expand through the Rational toolset with availability to all ECASS 2000+ team members in February 2002. This will allow the team to have a central repository to manage all identified risks.

Recommendation 8: Ensure that the ECASS 2000+ project team completes the necessary software acquisition training during the second quarter of fiscal year 2002.

Agree. This training was completed in [illegible] 2001.

Recommendation 9: Revise and approve the program management plan during the second quarter of fiscal year 2002.

Agree. The ECASS Program Manager will revise and approve the program management plan during the second quarter of FY 2002.

Recommendation 10: Complete the target architecture and select a location to house BXA's new export licensing automation system during the second quarter of fiscal year 2002 (see page 25).

Agree. Completion of the target architecture is a priority [illegible] during the second quarter of this fiscal year. In addition, a Data Center Study is underway, with a final candidate list expected in February 2002. BXA personnel will then schedule site visits, conduct interviews, and make recommendations to management. A final decision can be [illegible] during the [illegible] quarter of FY 2002.

Recommendation 11: Explore whether Defense could use the ECASS 2000+ licensing subsystem for its export licensing needs.

We have provided the Department of Defense (DOD) with copies of all development packets, and we continue to explore the option of DOD using our system for its export licensing needs. However, that decision rests with DOD.
Recommendation 12: Work with the dual-use export licensing agencies to develop a _ data repository for all data records pertaining to an export license reviewed by these agencies. The system should have appropriate access controls while also allowing the agencies to maintain control of their respective data.\n\nThis work is partially underway, with the Simplified Network Application Process/Electronic Supporting Documentation (SNAP/ESD) project, which is funded by USXPORTS in cooperation with BXA. The technical library will house all supporting documentation associated with an export _ as well as _ for additional information from all referral agencies. All _ ~ already have access to ECASS, which will continue with the new ECASS.\n\nThe development of more appropriate interfaces to _ the data flows within agencies and data sharing will be determined by _ of factors, both technical and _\n\nRecommendation 13: Develop a written agreement between BXA and the license referral agencies, including the Departments of Defense, Energy, and State, the Treasury, and the CIA outlining the responsibilities of each party involved in this effort and how _ to _ 
the ECASS 2000+ redesign effort with each agency\'s automation initiatives.\n\nPartially Agree. BXA has a Memorandum of Agreement in place with DOD (USXPORTS) that commits Commerce _ to improve _ _ licensing processes through coordination of automation _ _. Although USXPORTS has attempted to engage all referral agencies, _ efforts have not, as yet, been _ successful. BXA would prefer to build on _ working partnership with DOD, through USXPORTS, to achieve the coordination of _ _ _ rather than execute _ _ separately.\n\nBXA Detailed Comments on ECASS 2000+ Report Text\n\nFourth paragraph: The sentence should state that BXA electronically transmits validated licensing information to Customs over a dedicated 56K data line.\n\n_ last sentence of paragraph _: During its lifetime, ECASS has been upgraded to permit manual, electronic, and optical character recognition data entry of license applications for export and re-export, commodity classifications, special comprehensive and _ export licenses, and agriculture license exception notices.\n\nFigure 2 implies that Customs directly uses ECASS subsystems. This is not correct. 
BXA electronically transmits validated licensing information to Customs over a dedicated 56K data line. Figure 2 also implies that the _ Department uses a T-1 line to access ECASS. _ accesses ECASS through BXA-provided dial-up connections.\n\nFindings and Conclusions, First _: It is not clear what is meant by the first bullet which _ that we _ using the Department\'s _ and development processes. ECASS _ is using industry _ _ _ and development processes, such as Software Acquisition - Capability Maturity Model (SA-CMM) for software acquisition and the Rational Unified Process for software engineering. We are aware of the Department\'s use of the CMM for architecture, and we are adhering to and assessing our progress in this area as well as performing annual _ _ and documenting system development _ per OMB and _ Act requirements.\n\nPage 11\n\nFirst paragraph, add language as follows: Support documentation also may be faxed to BXA once the exporter has received their Application Control Number (ACN) via SNAP, _ BXA has officially accepted their application. Currently, support documentation is scanned into the Multipurpose Archival _ Retrieval System (MARRS) after the application has been completed by the Licensing Officer. SNAP 2002 will eliminate the need to scan documentation at the back-end of the _\n\nThird paragraph: Additional design peer reviews were held in September and December 2001, respectively. 
Beta testing will be held for four _ beginning the week of January 22, 2002, with production scheduled for March 2002.\n\nPage 15\n\nFirst paragraph: The licensing subsystem is part of a multi-year software development plan. The current timing for detailed elaboration and construction of this subsystem is not scheduled until FY 2003; therefore, it is inaccurate to _ that there has been minimal user involvement in _ and Investigative Tracking _ the same for all subsystems as constructed.\n\nECASS 2000+ IT security requirements have been specified, albeit at a high-level. Such requirements were not included in detail in the Software Requirements Specification _ last _ _ they represented an initial view based on the team\'s knowledge at that time. These requirements could not be finalized until: (1) the Department solidified its _ infrastructure, and (2) our integration contractor proposed the ECASS 2000+ system software/hardware. In addition, as noted, 
BXA is completing its _ _ (not just ECASS 2000+) in _ with Departmental guidance.\n\nAlso, security _ for SNAP have been assessed by the National Security Agency, agreed to by DOD, and _ _ _ the ECASS 2000+ front-end project. _, the Department\'s Public Key Infrastructure (PKI) pilot project will provide secure electronic transactions between industry and BXA.\n\nFirst paragraph, last sentence: Although users are entitled to express their concern about the development of the licensing subsystem requirements, it is not accurate to _ that such requirements were developed without their input.\n\nMany high-level requirements were taken from work done in 1998 because key business _ said _ were still what they wanted. _ requirements or further refinement of these requirements were gathered through selected interviews. The review of the Software Requirements Document (SRS), published in December 2000 by business _ confirmed the high-level requirements as defined. The level of detail was expanded by _ _ workshops where _ _ documented the current processes and the _ _.\n\nInitial use cases (how the system and user are to _) were drafted by existing ECASS team members based 
on _ sessions, and then turned over to the integration contractor. The integration contractor will (at the appropriate time) validate with user groups _ _ through _ _ case reviews in the multi-year development project.\n\nSecond paragraph: It was the intent from the beginning to use existing ECASS maintenance contractors to help _ the high level requirements until an integration contractor was selected. The integration contractor\'s job is to design, implement, and provide oversight of the redesign project. The _ to imply that _ _ _ initially planned.\n\nSoftware Acquisition Training: The first sentence should state that all team members have received software development training to enable them to _ the project. The project _ _ has had previous experience in this area. 
The only remaining piece of training not completed at the time of the report was a self-assessment of the software acquisition processes currently in place, and the steps necessary to implement ongoing process improvement. As of January 17, 2002, the training and assessment have been completed.\n\nSTATUS OF 1999 INTERNAL CONTROL RECOMMENDATIONS\n\n28 (e) _ an official database review board.\n\nStatus: The Milestone Achievement Review Board will be established to _ to the ECASS 2000+ system, _ the existing system. Board members have been _ and their duties documented in the ECASS 2000+ Quality Assurance Plan. The Board will become active in the _ _ of FY 2002.\n\n28 (g) Designate a team to periodically review the internal controls and risks associated with BXA\'s system, about once a year or when conditions _ change.\n\nStatus: BXA _ a risk assessment of the current ECASS system and has provided a copy of its security plan, risk assessment, and risk management plan to the OIG for independent review in December 2001. 
(Please see Appendix 3)\n\n28 (l) Update the _ continuity of operations plan (COOP) to include all _ manual and system contingency _ as soon as possible.\n\nStatus: BXA plans to issue its revised COOP in February 2002.\n\n28 (m) Establish a risk management team to identify and assess the severity of risk in BXA\'s database environment, or have a _ perform the risk analysis.\n\nStatus: Ongoing _ risks have been, and continue to be, identified, tracked, and mitigated for both ECASS and ECASS 2000+. All training has also been completed.\n\n28 (o) Prepare a BXA system security plan.\n\nStatus: As noted above, BXA has completed a security plan for ECASS, which will be reviewed and approved by BXA management as part of the system certification and accreditation package. BXA has a contractor preparing a security plan for ECASS 2000+ during fiscal year 2002.\n\n28 (p) Perform periodic security reviews.\n\nStatus: Please refer to the IT Security Action Plan in Appendix 1 for a schedule of planned security reviews in fiscal year 2002.\n\n28 (q) Officially _ the security duties of BXA\'s _ system to BXA\'s security officer.\n\nStatus: BXA has designated an _ security officer, which was cited as the only uncompleted action for this item.\n'